nCircle Sync Blog

Many Microsoft Bulletins Replaced; Bigger Set of Kill Bits Issued

Many Patches Get Replaced

When it comes to Microsoft Patch Tuesday, August might just be better classified as a do-over. Of the 11 bulletins released today, 7 replace former bulletins. The bulletins being replaced are an interesting diversion in their own right. One dates back to 2003, while others were released only in the past few months. In one case, MS08-026, a remote execution in Word, has now been superseded by three new bulletins this month.

08-041 replaces 03-038
08-042 replaces 08-026
08-043 replaces 08-026 and 08-014
08-044 replaces 06-039
08-045 replaces 08-031
08-048 replaces 07-056
08-051 replaces 06-058 and 08-026

Is this a case of a bad patch or a new vulnerability? In all likelihood, the replacements signify a bit of both. A common tactic for any researcher is a history lesson in what you are investigating. By focusing your microscope on older patches, two sets of clues are generally revealed: where code changed and what kind of changes occurred. The 'where' and the 'what' of any code base tell a lot. Where code was altered gives a researcher clues as to important locations for further inspection. Similarly, the 'what' tells a researcher what kind of functions or routines have been problematic in the past and might prove to be troublesome again. Chances are we are seeing additional fixes for past vulnerabilities as well as new flaws found by means of these history lessons.

Kill Bits Galore

Security advisory 953839 was also published today. The intent of this cumulative security update is to issue new kill bits for known vulnerable controls. A kill bit is a value in the registry that instructs your computer not to execute the control if it is requested. This does not remove or update the vulnerable code; it simply tells your computer not to run it. In today's update, we received roughly 90 kill bits on class identifiers related to products by Aurigma and another 20+ on products from HP.

This is not the first time that Microsoft has used Patch Tuesday to distribute kill bit settings for third-party applications. While this method may be viewed as novel now, it will soon become relentless and tiresome as time moves forward. The reason is partly based on what we learned from Microsoft at last week's BlackHat talk. Microsoft announced their new security initiatives, one of these being their active efforts to deliver a holistic, more secure system to Windows users, even if it means finding bugs in third-party products. Going forward, we can expect Microsoft to find vulnerable ActiveX controls and issue kill bit updates on Patch Tuesday, thus making Windows generally more secure and giving the third-party vendor time to release proper updates for their software.
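To check that a kill-bit update actually landed, the registry can be audited against the advisory's class identifiers. The following is an added example, not code from the original post or from Microsoft: it assumes the standard Internet Explorer location for kill bits (the `ActiveX Compatibility` key, where bit 0x00000400 of `Compatibility Flags` is the kill bit), details the post does not spell out, and it runs over a constructed `.reg` export with placeholder CLSIDs.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.IGNORECASE)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.IGNORECASE)

# Constructed sample in .reg export format; the CLSIDs are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000020
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44444444-4444-4444-4444-444444444444}]
"Compatibility Flags"=dword:00000420
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44444444-4444-4444-4444-444444444444}]
"Compatibility Flags"=dword:00000000
"""

def parse_flags(reg_text):
    """Map upper-cased CLSID -> list of flag values, one per registry view found."""
    flags, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
        elif current and (m := FLAGS_RE.match(line)):
            flags.setdefault(current, []).append(int(m.group(1), 16))
    return flags

def audit(reg_text, advisory_clsids):
    """Classify each advisory CLSID as killed, partial, not set, or no entry."""
    seen, report = parse_flags(reg_text), {}
    for clsid in advisory_clsids:
        hits = [bool(v & KILL_BIT) for v in seen.get(clsid.upper(), [])]
        if not hits:
            report[clsid] = "no entry"
        elif all(hits):
            report[clsid] = "killed"
        else:
            report[clsid] = "partial" if any(hits) else "not set"
    return report

if __name__ == "__main__":
    ids = ["{%s}" % "-".join(d * n for n in (8, 4, 4, 4, 12)) for d in "1234"]
    for clsid, state in audit(SAMPLE_EXPORT, ids).items():
        print(clsid, state)
```

The flag is tested with a bit mask rather than equality because other compatibility bits can be set alongside it, and "partial" marks a control blocked in one registry view (native or `Wow6432Node`) but not the other. A real export written by `reg export` is UTF-16 and must be decoded before being passed in.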



Comments (1)

Jay Graver:

Blog Post FAIL!

Where is the do over? These are supersession patches. They include previous fixes ALONG WITH new fixes.

MS08-041 replaces MS03-038 and patches CVE-2008-2463
MS08-042 replaces MS08-026 and patches CVE-2008-2244
MS08-043 replaces MS08-014 & MS08-026 and patches CVE-2008-3004, CVE-2008-3005, CVE-2008-3006 & CVE-2008-3003
MS08-044 replaces MS06-039 and patches CVE-2008-3019, CVE-2008-3018, CVE-2008-3021, CVE-2008-3020 & CVE-2008-3460
MS08-045 replaces MS08-031 and patches CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2259, CVE-2008-2257 & CVE-2008-2258
MS08-046 patches CVE-2008-2245
MS08-047 patches CVE-2008-2246
MS08-048 replaces MS07-056 and patches CVE-2008-1448
MS08-049 patches CVE-2008-1457 & CVE-2008-1456
MS08-050 patches CVE-2008-0082
MS08-051 replaces MS06-058 & MS08-026 and patches CVE-2008-0120, CVE-2008-0121 & CVE-2008-1455

All of these CVEs are 2008! These are new vulns.





About

This page contains a single entry from the blog posted on August 12, 2008 2:46 PM.




Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department.

Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP), a member of Infragard and a graduate of the FBI Citizens' Academy. Andrew blogs at blog.ncircle.com/sync